Recently, I met a friend who looked stressed. He returned home from work only to find out that someone had broken into his online accounts. Naturally, he was concerned about the data, but also the amount of time it would take to fix the problem. I told him an easy way to reduce the risk of account breaches is to use something called “two factor authentication” or 2FA.
What is Two Factor Authentication (2FA)?
The name two factor authentication sounds complex to a lot of people, but chances are you’ve already used it in some capacity without knowing it by that name. Basically, it means that before you can get access to some service, you need two items from different categories. These include:
- Something you know (usually your account name and password)
- Something you have in your possession (security key, application, hardware token or code)
- Some physical attribute (fingerprint, facial recognition, retina)
When you think of getting cash from an ATM, you’re using a similar process. You have to have both your bank card and your PIN. The online world can work in a similar fashion. Instead of just relying on an account name and password, you can add a second level of protection before people get access. This is important when you think of how many times you hear of security problems from large companies. It’s doubly important if you tend to use the same account name and password on multiple sites like my friend.
Online Services that Use 2FA
At this point you might be thinking that 2FA is fine, but you don’t have any services that use it. You probably do, but many sites hide the feature. Here are some you might know:
Granted, the above companies are household names, but there are smaller players too. The best way to find out who offers this security feature is to go to https://twofactorauth.org/
This is a site started by Josh Davis, an Amazon engineer. The site provides a number of ways to find sites that use two factor authentication and additional information. The site is very easy to use and presents the information in a nice grid.
- There is a search bar at the top where you can enter in a service name. As you start typing the site will show possible matches.
- You can also filter by category. In my example, I’m using the Backup and Sync category.
- Any alerts or exceptions about the company or service.
- A link to that company’s documentation on 2FA.
- An indication of what authentication types the company uses. You’ll also note that you can send a tweet to the company asking for them to support 2FA.
Once you drill down, additional information appears.
There are a number of methods you can use for two factor authentication. I think one of the easiest is from Google and it’s called Google Authenticator. Most sites that show a check in the Software Token column should work. However, there are a number of options in case you don’t like Google. They all work in a similar fashion in that they generate a one-time numeric passcode on a mobile device. To set up Google Authenticator with a service:
- Install Google Authenticator from the appropriate app store.
- Using the 2 Factor Auth list site, find the service page that has the instructions.
- Look for a QR code that you can scan with your phone or tablet. Your device should have the ability to scan bar codes. If it doesn’t, you can find free apps.
- Enter the one-time code that Google Authenticator displays into your service’s confirmation box. (See screen snap above.) You’ll see a circle next to the code that represents how much time remains. When the circle clears, a new code is generated.
Google Authenticator will add your service. Some services allow you to provide a label, which is helpful as you’ll probably use 2FA on multiple sites.
Although 2FA is more secure, it’s not bulletproof. This is especially true with SMS. While this is better than nothing, SMS is not as secure as you might think. There have been a number of reports where SMS codes were intercepted. Wired magazine had a nice article on this that you might want to read.
And there are still people who try to trick you into giving up security information. Security Affairs reported an incident where people were tricking users into revealing their 2FA code.
Another downside is that you may not be able to transfer your 2FA information when you get a new phone. The setup process doesn’t take a lot of time, but sometimes you need to take additional steps with the provider to remove the previous setup.
If you want to reduce the chances of someone breaking into your accounts, I would suggest you look at the two factor authentication programs.
Gotchas and Takeaways
As much as I like 2FA, I have to admit there are some aspects that can “bite you in the butt”. Earlier this month, I had to do a factory reset of my cell phone, which had Google Authenticator on it. I knew I needed to download the app again and go through the setup process. What I didn’t realize was that some of the services I use had terrible fallback procedures. Most services will have a backup method so you can get back to your account. The typical means include an SMS code or a stored list of private one-time codes that you enter at login instead of the app’s code. However, some services tell you to call customer support. In one case, my provider wanted a notarized letter.
My suggestion before you do a factory reset on your cell phone, or get a new one, is to double-check your services. Where possible, get a copy of the one-time codes you’ll need or set up SMS. If you have a provider that doesn’t have a fallback method, I’d suggest deactivating the service until you get the phone working. While it’s OK to keep hackers away, it’s exceedingly frustrating when you’re the one locked out.
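The “stored list of private codes” fallback mentioned above is worth understanding from the service’s side, because it explains why those codes are shown to you exactly once and why you should save them before a reset. The following is an added example, not code from the article or from any of the services it mentions: it generates a set of single-use recovery codes the way a service would, keeps only salted hashes of them (so a leaked database does not hand out working codes), accepts a code typed in any case or with hyphens removed, and burns each code on first use. The alphabet, code length and iteration count are choices made for this demo.

```python
import hashlib
import hmac
import secrets
import string

# Alphabet without 0/O or 1/l/I, so a code read back off paper is hard to mistype.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> list[str]:
    """Random single-use recovery codes, shown to the user once, formatted xxxxx-xxxxx."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return codes


def normalize(code: str) -> str:
    """Accept the code however the user typed it: ignore case, drop spaces and hyphens."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


class BackupCodeStore:
    """Server-side store: holds salted PBKDF2 hashes only, never the plaintext codes."""

    def __init__(self, codes: list[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes = [self._hash(c) for c in codes]

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), self.salt, 100_000)

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, submitted: str) -> bool:
        """True and the code is burned on a match; a used or unknown code is rejected."""
        candidate = self._hash(submitted)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[i]  # single use: the same code never works twice
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Save these somewhere safe; they are not shown again:", *codes, sep="\n  ")
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0].upper()))  # True
    print("reuse:", store.redeem(codes[0]))              # False
    print("codes left:", store.remaining())
```

Because the service keeps only hashes, it cannot re-display your codes later; if you lost them along with the phone, regenerating a fresh set is the only option, and that usually requires being logged in already. That is the gap the factory reset exposes.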